This notification is voluntarily reported by BD to Information Sharing and Analysis Organizations (ISAOs).
It applies to BD products in scope in addition to products that are not actively supported by BD.
BD engages in proactive communication around cybersecurity issues that have the potential to either directly or indirectly impact our products. Vulnerability disclosure is an essential component of BD’s culture of transparency to help ensure that customers have the necessary information to properly assess potential cybersecurity risks, even those caused by third-party software and/or operating systems.
The content of this notification was voluntarily reported by BD to Information Sharing and Analysis Organizations (ISAOs) in which BD participates, including the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) and the National Health Information Sharing and Analysis Center (NH-ISAC), even though these products are not sold or used in the U.S. There have been no reports of this vulnerability being exploited.
This notification applies to the following products, with software version 2.3.6 and below:
- Alaris™ GS (not actively supported)
- Alaris™ GH
- Alaris™ CC
- Alaris™ TIVA
Note: Only software versions 2.3.6 and below are impacted. Software version 2.3.6 was released in 2006. These pumps were previously sold under the Asena brand. This does not apply to Alaris™ Medley devices. None of these products are sold in the United States.
BD has been made aware of a potential vulnerability that can impact various Alaris™ Syringe Pumps sold and used outside of the United States. If exploited, this vulnerability may allow an attacker to gain remote access to devices when they are connected to a terminal server via the serial port. This potential vulnerability does not affect the Alaris™ Syringe Module sold in the United States.
To execute this attack, one would need to ensure the affected device is connected to a terminal server via the serial port, have an understanding of the device communication protocol, have access to specific driver software that implements the pump protocol communication, and be able to penetrate a customer network and gain unauthorized access to terminal server devices.
This vulnerability cannot be exploited if the device is connected to an Alaris™ Gateway Workstation docking station. No PHI or PII can be accessed by exploiting this vulnerability.
CyberMDX, a security vendor, originally made BD aware of this vulnerability to the Alaris™ TIVA Syringe Pump.
Clinical Risk Assessment and Patient Safety Impact
BD has assessed this vulnerability for clinical impact and concluded that the probability of an unauthorized breach in network security that impacts the delivery of a patient’s IV infusion is negligible due to the sequence of events that must occur in a specific order by a highly trained attacker.
Product Security Risk Assessment and Vulnerability Score
BD has conducted internal risk assessments for this vulnerability and has also collaborated with the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) and independent security researchers to review the base and temporal Common Vulnerability Scoring System (CVSS) scores outlined below. These vulnerability scores can be used in assessing risk within your own organization.
CVSS 9.4 (critical) CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H
The device does not perform authentication for functionality that requires a provable user identity. The attack complexity is low, as there are no specific requirements for customer implementation; however, an attacker would need to breach a customer network and obtain privileges to exploit this vulnerability. This vulnerability is missing authentication for remote connections. While no physical access is required, the device must be turned on for an exploit to succeed, and the device cannot be switched on remotely. This vulnerability only affects the pump itself, so the scope is unchanged.
Only patient weight and infusion medication are stored on the device, so the confidentiality impact is rated low. No PHI or PII is stored on the device. While an attacker would not be able to disable the pump completely, there may be intermittent loss of availability, which is rated as a high impact. Integrity impact is high, as an attacker can potentially modify the rate of infusion.
Mitigations & Compensating Controls
BD recommends the following mitigations and compensating controls in order to reduce risk associated with this vulnerability:
- This attack utilizes a known vulnerability in terminal servers. BD does not recommend that customers utilize a terminal server. Customers who utilize terminal servers should understand that terminal server use is not supported.
- Customers should ensure they are operating these devices in a segmented network environment or as stand-alone devices.
- Customers should utilize connections via the Alaris™ Gateway Workstation docking station, which inactivates the remote control feature.
For More Information
For more information on BD's proactive approach to product security and vulnerability management, contact our Product Security Office:
Product Security Bulletin for Infusion